From c0e6f37cb9a343a9074506a0f0a9af98546fc327 Mon Sep 17 00:00:00 2001
From: Felipe Pena <felipe@php.net>
Date: Sun, 1 Aug 2010 13:27:02 +0000
Subject: [PATCH] - Fixed bug #52484 (__set() ignores setting properties with
 empty names)

---
 NEWS                        |  2 ++
 Zend/tests/bug52484.phpt    | 19 +++++++++++++++++++
 Zend/tests/bug52484_2.phpt  | 19 +++++++++++++++++++
 Zend/tests/bug52484_3.phpt  | 19 +++++++++++++++++++
 Zend/zend_object_handlers.c | 31 ++++++++++++++++++++++++++++---
 5 files changed, 87 insertions(+), 3 deletions(-)
 create mode 100644 Zend/tests/bug52484.phpt
 create mode 100644 Zend/tests/bug52484_2.phpt
 create mode 100644 Zend/tests/bug52484_3.phpt

diff --git a/NEWS b/NEWS
index 352a57928c..bd38de0f02 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,8 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2010, PHP 5.3.4
 - Fixed bug #52487 (PDO::FETCH_INTO leaks memory). (Felipe)
+- Fixed bug #52484 (__set() ignores setting properties with empty names).
+  (Felipe)
 - Fixed bug #52436 (Compile error if systems do not have stdint.h)
   (Sriram Natarajan)
 
diff --git a/Zend/tests/bug52484.phpt b/Zend/tests/bug52484.phpt
new file mode 100644
index 0000000000..ccdf858f65
--- /dev/null
+++ b/Zend/tests/bug52484.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #52484 (__set() ignores setting properties with empty names)
+--FILE--
+<?php
+
+class A {	
+	function __unset($prop) {
+		unset($this->$prop);
+	}
+}
+
+$a = new A();
+$prop = null;
+
+unset($a->$prop);
+
+?>
+--EXPECTF--
+Fatal error: Cannot access empty property in %s on line %d
diff --git a/Zend/tests/bug52484_2.phpt b/Zend/tests/bug52484_2.phpt
new file mode 100644
index 0000000000..1639c81029
--- /dev/null
+++ b/Zend/tests/bug52484_2.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #52484.2 (__set() ignores setting properties with empty names)
+--FILE--
+<?php
+
+class A {
+	function __set($prop, $val) {
+		$this->$prop = $val;
+	}
+}
+
+$a = new A();
+$prop = null;
+
+$a->$prop = 2;
+
+?>
+--EXPECTF--
+Fatal error: Cannot access empty property in %s on line %d
diff --git a/Zend/tests/bug52484_3.phpt b/Zend/tests/bug52484_3.phpt
new file mode 100644
index 0000000000..20dde3d3c5
--- /dev/null
+++ b/Zend/tests/bug52484_3.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #52484.3 (__set() ignores setting properties with empty names)
+--FILE--
+<?php
+
+class A {	
+	function __get($prop) {
+		var_dump($this->$prop);
+	}
+}
+
+$a = new A();
+$prop = null;
+
+var_dump($a->$prop);
+
+?>
+--EXPECTF--
+Fatal error: Cannot access empty property in %s on line %d
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index 1399ef50d5..b91fcd0787 100644
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -340,7 +340,7 @@ zval *zend_std_read_property(zval *object, zval *member, int type TSRMLS_DC) /*
 	property_info = zend_get_property_info(zobj->ce, member, (zobj->ce->__get != NULL) TSRMLS_CC);
 
 	if (!property_info || zend_hash_quick_find(zobj->properties, property_info->name, property_info->name_length+1, property_info->h, (void **) &retval) == FAILURE) {
-		zend_guard *guard;
+		zend_guard *guard = NULL;
 
 		if (zobj->ce->__get &&
 		    zend_get_property_guard(zobj, property_info, member, &guard) == SUCCESS &&
@@ -373,6 +373,15 @@ zval *zend_std_read_property(zval *object, zval *member, int type TSRMLS_DC) /*
 			}
 			zval_ptr_dtor(&object);
 		} else {
+			if (zobj->ce->__get && guard && guard->in_get == 1) {
+				if (Z_STRVAL_P(member)[0] == '\0') {
+					if (Z_STRLEN_P(member) == 0) {
+						zend_error(E_ERROR, "Cannot access empty property");
+					} else {
+						zend_error(E_ERROR, "Cannot access property started with '\\0'");
+					}
+				}
+			}
 			if (!silent) {
 				zend_error(E_NOTICE,"Undefined property: %s::$%s", zobj->ce->name, Z_STRVAL_P(member));
 			}
@@ -437,7 +446,7 @@ static void zend_std_write_property(zval *object, zval *member, zval *value TSRM
 		}
 	} else {
 		int setter_done = 0;
-		zend_guard *guard;
+		zend_guard *guard = NULL;
 
 		if (zobj->ce->__set &&
 		    zend_get_property_guard(zobj, property_info, member, &guard) == SUCCESS &&
@@ -460,6 +469,14 @@ static void zend_std_write_property(zval *object, zval *member, zval *value TSRM
 				SEPARATE_ZVAL(&value);
 			}
 			zend_hash_quick_update(zobj->properties, property_info->name, property_info->name_length+1, property_info->h, &value, sizeof(zval *), (void **) &foo);
+		} else if (zobj->ce->__set && guard && guard->in_set == 1) {
+			if (Z_STRVAL_P(member)[0] == '\0') {
+				if (Z_STRLEN_P(member) == 0) {
+					zend_error(E_ERROR, "Cannot access empty property");
+				} else {
+					zend_error(E_ERROR, "Cannot access property started with '\\0'");
+				}
+			}
 		}
 	}
 
@@ -619,7 +636,7 @@ static void zend_std_unset_property(zval *object, zval *member TSRMLS_DC) /* {{{
 	property_info = zend_get_property_info(zobj->ce, member, (zobj->ce->__unset != NULL) TSRMLS_CC);
 
 	if (!property_info || zend_hash_quick_del(zobj->properties, property_info->name, property_info->name_length+1, property_info->h) == FAILURE) {
-		zend_guard *guard;
+		zend_guard *guard = NULL;
 
 		if (zobj->ce->__unset &&
 		    zend_get_property_guard(zobj, property_info, member, &guard) == SUCCESS &&
@@ -630,6 +647,14 @@ static void zend_std_unset_property(zval *object, zval *member TSRMLS_DC) /* {{{
 			zend_std_call_unsetter(object, member TSRMLS_CC);
 			guard->in_unset = 0;
 			zval_ptr_dtor(&object);
+		} else if (zobj->ce->__unset && guard && guard->in_unset == 1) {
+			if (Z_STRVAL_P(member)[0] == '\0') {
+				if (Z_STRLEN_P(member) == 0) {
+					zend_error(E_ERROR, "Cannot access empty property");
+				} else {
+					zend_error(E_ERROR, "Cannot access property started with '\\0'");
+				}
+			}
 		}
 	}
 
-- 
2.40.0